$800,000 penalty for data theft and underage sign-ups is highest ever given to app developer.
The US Federal Trade Commission (FTC) has issued its biggest ever fine to an app builder, accused of accessing customers’ private data without permission.
Path, a social networking app that lets mobile device users share photos and instant messages, was ordered to pay $800,000 (£509,517) by the FTC after it found the company had misled customers.
According to the commission, the app offered users “no meaningful choice” about the collection of personal data from their phone and would upload the names, email addresses, phone numbers, and Facebook and Twitter usernames to its servers, regardless of whether the customer had given it permission to.
The app offered users no meaningful choice about the collection of personal data
The issue was discovered almost exactly a year before the fine was issued, by action.io developer Arun Thampi.
Dave Morin, co-founder and chief executive of Path defended the move, saying: “We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.”
However, in a blog post, Morin then claimed the company had deleted “the entire collection of user uploaded contact information from [its] servers”.
Moreover, the app is also understood to have allowed children under the age of 13 to sign up to the service without parental permission, which is illegal in the US. The FTC said approximately 3,000 children did sign up to Path, which currently has around 6 million users.
Morin defended his company, saying in another blog post: “As you may know, we ask users’ their birthdays during the process of creating an account. However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13.
“Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any under age [sic] accounts that had mistakenly been allowed to be created.”
Nevertheless, Jon Leibowitz, in his last day in charge of the FTC, said: “This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans.”
The agency also warned all app developers and handset makers to improve data security, adding that a “rush to release may result in dangerous security oversights”.